Skip to content

micado-scale/component-security-policy-manager

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

131 Commits
app
app
 
 
bin
bin
 
 
lib
lib
 
 
test
test
 
 
.gitattributes
.gitattributes
 
 
.travis.yml
.travis.yml
 
 
Dockerfile
Dockerfile
 
 
Dockerfile-alpine
Dockerfile-alpine
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Component-security-policy-manager

v2.0:

Overview:

This module provides APIs to manage sensitive information, including application sensitive information and infrastructure sensitive information.

Infrastructure sensitive information or infrastructure secret:

  • Create,
  • Read,
  • Update or
  • Delete a secret in Hashicorp Vault

Application sensitive information or application secret:

  • Create,
  • Read,
  • Update or
  • Delete an application secret in kubernetes

Worker node IPsec certificates:

  • Create,
  • Read or
  • Revoke a certificate,
  • Get Certificate Revocation List

Worker node kubernetes join tokens:

  • Create or
  • Invalidate a join token

Security Enablers:

  • Crypto Engine
  • Image Integrity Verifier

How to use the API:

Infrastructure sensitive information or infrastructure secret

  • Add a secret 'secret1' into the vault. If the secret exists, it will be overwritten.

curl -H "Content-Type: application/json" -d '{"name":"secret1","value":"123"}' -X POST spm:5003/v1.0/secrets

  • Update the secret named 'secret1' with a new value

curl -H "Content-Type: application/json" -d '{"value":"456"}' -X PUT spm:5003/v1.0/secrets/secret1

  • Read a secret named 'secret1' from the vault

curl -X GET spm:5003/v1.0/secrets/secret1

  • Delete a secret named 'secret1' from the vault

curl -X DELETE spm:5003/v1.0/secrets/secret1

Application sensitive information or application secret

  • Add an applicaton sensitive information as kubernetes secret and distribute it to pods. If the application service has existing secrets, this function add one more while keeping the other secrets intact.

curl -H "Content-Type: application/json" -d '{"name":"secret1","value":"123"}' -X POST spm:5003/v1.0/appsecrets

  • Retrieve kubernetes secret with id 'secret1'

curl -X GET spm:5003/v1.0/appsecrets/secret1

  • Remove a secret named 'secret1' from the service

curl -X DELETE spm:5003/v1.0/appsecrets/secret1

How to use the automatic test script for managing secrets infrastructure sensitive information:

Assuming that you installed Robot framework successfully (Please follow this link if you has not installed the Robot framework yet: https://github.com/robotframework/QuickStartGuide/blob/master/QuickStart.rst#demo-application)

  1. Launch the vault server in localhost:
storage "file" {
	path = "datafile"
}
listener "tcp" {
	address     = "127.0.0.1:8200"
	tls_disable = 1
}

(all secrets will be written in the file 'datafile' which resides in the same directory with the executable file 'vault')

  • Launch the vault server by command line

./vault server -config=vault.hcl

  1. Edit the file app/vaultclient.py to change VAULT_URL into

VAULT_URL = "http://127.0.0.1:8200"

  1. Run the source code by command line

gunicorn -b 0.0.0.0:5003 app:app

  1. Run the test script by command line

robot test/test_script.rst

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

2 watching

Forks

3 forks
Report repository

Releases 3

v0.10.1 Latest
Feb 22, 2022
+ 2 releases

Packages

No packages published

Contributors 6

Languages